Act is aimed at financial institutions and is enforced by eight separate federal
agencies and the states. Gramm-Leach-Bliley provides
for a fairly broad interpretation of the phrase “financial
institution” and not only affects banks, insurance companies, and security
firms, but also brokers, lenders, tax preparers, and real estate settlement
companies, among others.
How does this Act affect your storage systems? One major
component of Gramm-Leach-Bliley requires
that safeguards be in place to protect your customers’ private financial
information. Here is an excerpt from the Act, the full text of which can be
found at the link above.
“In furtherance of the policy in subsection (a) of this section, each agency or
authority described in section 6805(a) of this title shall establish
appropriate standards for the financial institutions subject to their
jurisdiction relating to administrative, technical, and physical safeguards –
(1) to insure the security and confidentiality of customer
records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity
of such records; and
(3) to protect against unauthorized access to or use of such records or information
which could result in substantial harm or inconvenience to any customer.”
Another section of Gramm-Leach-Bliley indicates that
institutions must “develop, implement, and maintain a comprehensive
written information security program that contains administrative, technical,
and physical safeguards that are appropriate to the size and complexity of the
entity, the nature and scope of its activities, and the sensitivity of any
What should you do to comply?
At present, the language in the Act is fairly broad and
could be interpreted as providing a pretty loose standard by which institutions
must protect customer information. I would anticipate that the recent problems
with companies like ChoicePoint, LexisNexis,
and at many colleges and universities will eventually lead to changes in this
wording that make it stricter, even though the affected companies aren’t
necessarily covered by Gramm-Leach-Bliley.
Today’s interpretation of Gramm-Leach-Bliley calls for
controls on customer data, the strength of which are proportional to the
sensitivity of the information being stored. What this means is that your data
security goes well beyond your storage device alone and, in fact, encompasses a
company’s policies and procedures as well as the hardware that maintains the
When it comes to policies and procedures, you need to define
who can access which data, and under what circumstances. Further, you should
log access to sensitive customer information to help provide accountability and
provide a deterrent to insiders that threaten customer privacy.
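The two controls just described, a policy that states who may access which data under what circumstances and a log of every access to sensitive customer information, can be expressed in a few dozen lines. The following is an added example, not code from the article or from any regulator: the roles, sensitivity levels, purposes and customer records are all constructed for illustration, and the policy table is an assumption rather than anything the Act prescribes. The point it shows is that denied attempts are logged alongside granted ones, which is what gives the log its value as both an accountability record and a deterrent.

```python
"""Added example: role- and purpose-based access checks with an audit trail
for customer records. All names, roles and records here are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Sensitivity levels; a higher number means more sensitive data.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed sample policy (an assumption, not taken from the Act):
# each role may read records up to a sensitivity ceiling, and only for
# the business purposes listed for that role.
POLICY = {
    "teller":       {"max_level": "internal",     "purposes": {"service_request"}},
    "loan_officer": {"max_level": "confidential", "purposes": {"service_request", "underwriting"}},
    "auditor":      {"max_level": "restricted",   "purposes": {"audit"}},
}


@dataclass
class Record:
    record_id: str
    customer_id: str
    sensitivity: str
    body: str


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    record_id: str
    purpose: str
    granted: bool
    reason: str


class CustomerStore:
    """Holds customer records and records every access attempt."""

    def __init__(self, records: List[Record]) -> None:
        self._records: Dict[str, Record] = {r.record_id: r for r in records}
        self.audit_log: List[AuditEvent] = []

    def access(self, user: str, role: str, record_id: str, purpose: str) -> Optional[Record]:
        """Return the record if policy allows it, else None. Always logs."""
        record = self._records.get(record_id)
        rule = POLICY.get(role)
        if record is None:
            granted, reason = False, "no such record"
        elif rule is None:
            granted, reason = False, "unknown role"
        elif purpose not in rule["purposes"]:
            granted, reason = False, "purpose not permitted for role"
        elif SENSITIVITY[record.sensitivity] > SENSITIVITY[rule["max_level"]]:
            granted, reason = False, "sensitivity exceeds role ceiling"
        else:
            granted, reason = True, "ok"
        # Log who, what, when and why for every attempt, denied ones included.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, record_id,
            purpose, granted, reason))
        return record if granted else None

    def denied_attempts(self, user: Optional[str] = None) -> List[AuditEvent]:
        """Denied attempts, optionally filtered to one user; useful for review."""
        return [e for e in self.audit_log
                if not e.granted and (user is None or e.user == user)]


def build_demo_store() -> CustomerStore:
    """Constructed sample data for the example."""
    return CustomerStore([
        Record("R1", "C100", "internal",     "mailing address"),
        Record("R2", "C100", "confidential", "loan application"),
        Record("R3", "C100", "restricted",   "full account history"),
    ])


if __name__ == "__main__":
    store = build_demo_store()
    store.access("alice", "teller", "R1", "service_request")   # granted
    store.access("alice", "teller", "R3", "service_request")   # denied: too sensitive
    store.access("bob", "loan_officer", "R2", "underwriting")  # granted
    store.access("bob", "loan_officer", "R2", "audit")         # denied: wrong purpose
    store.access("carol", "auditor", "R3", "audit")            # granted
    for event in store.audit_log:
        print(event.timestamp, event.user, event.record_id, event.purpose,
              "GRANTED" if event.granted else "DENIED", event.reason)
```

In a real deployment the audit log would go to write-once storage outside the reach of the users whose actions it records, and the policy table would come from a central directory rather than a dictionary in the code; the structure of the check and the rule that every attempt is logged stay the same.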
The storage system itself should be a secondary concern. As
long as it is protected from unauthorized access, and you know who has permissions, when someone accessed information, and why, your company will be able to
conduct business, even with Gramm-Leach-Bliley in place.
The short version: Your storage system should be protected
from any and all outside and unauthorized access. Most intrusions are
accomplished from inside the corporate firewall, so a single layer of defense
is not enough. Further, don’t forget about VPN access, which can be used for
both legitimate as well as nefarious purposes. You must have technical solutions
and policies in place that protect data. Anything less is both illegal, and—in
these days of data and identity theft—irresponsible.